From: domg472@gmail.com (Dominick Grift)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [Apt 1/1] Clean up Apt module.
Date: Fri, 3 Sep 2010 17:50:14 +0200 [thread overview]
Message-ID: <20100903155010.GA27711@localhost.localdomain> (raw)
Signed-off-by: Dominick Grift <domg472@gmail.com>
---
:100644 100644 e4f4850... 1f65fbe... M policy/modules/admin/apt.fc
:100644 100644 e696b80... eaf17d0... M policy/modules/admin/apt.if
:100644 100644 4044710... 9a37f79... M policy/modules/admin/apt.te
policy/modules/admin/apt.fc | 9 +--------
policy/modules/admin/apt.if | 35 ++++++++++++++++++++---------------
policy/modules/admin/apt.te | 9 ---------
3 files changed, 21 insertions(+), 32 deletions(-)
diff --git a/policy/modules/admin/apt.fc b/policy/modules/admin/apt.fc
index e4f4850..1f65fbe 100644
--- a/policy/modules/admin/apt.fc
+++ b/policy/modules/admin/apt.fc
@@ -1,21 +1,14 @@
/usr/bin/apt-get -- gen_context(system_u:object_r:apt_exec_t,s0)
-# apt-shell is redhat specific
/usr/bin/apt-shell -- gen_context(system_u:object_r:apt_exec_t,s0)
-# other package managers
/usr/bin/aptitude -- gen_context(system_u:object_r:apt_exec_t,s0)
/usr/sbin/synaptic -- gen_context(system_u:object_r:apt_exec_t,s0)
-# package cache repository
/var/cache/apt(/.*)? gen_context(system_u:object_r:apt_var_cache_t,s0)
-# package list repository
/var/lib/apt(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
/var/lib/aptitude(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
-# aptitude lock
/var/lock/aptitude gen_context(system_u:object_r:apt_lock_t,s0)
-# aptitude log
-/var/log/aptitude gen_context(system_u:object_r:apt_var_log_t,s0)
-# dpkg terminal log
+/var/log/aptitude gen_context(system_u:object_r:apt_var_log_t,s0)
/var/log/apt(/.*)? gen_context(system_u:object_r:apt_var_log_t,s0)
diff --git a/policy/modules/admin/apt.if b/policy/modules/admin/apt.if
index e696b80..eaf17d0 100644
--- a/policy/modules/admin/apt.if
+++ b/policy/modules/admin/apt.if
@@ -2,7 +2,7 @@
########################################
## <summary>
-## Execute apt programs in the apt domain.
+## Execute a domain transition to run Apt.
## </summary>
## <param name="domain">
## <summary>
@@ -15,14 +15,19 @@ interface(`apt_domtrans',`
type apt_t, apt_exec_t;
')
- files_search_usr($1)
corecmd_search_bin($1)
domtrans_pattern($1, apt_exec_t, apt_t)
+
+ ifndef(`distro_redhat',`
+ files_search_usr($1)
+ ')
')
########################################
## <summary>
-## Execute apt programs in the apt domain.
+## Execute a domain transition to run
+## Apt, and allow the specified role
+## the Apt domain.
## </summary>
## <param name="domain">
## <summary>
@@ -31,7 +36,7 @@ interface(`apt_domtrans',`
## </param>
## <param name="role">
## <summary>
-## The role to allow the apt domain.
+## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
@@ -43,12 +48,11 @@ interface(`apt_run',`
apt_domtrans($1)
role $2 types apt_t;
- # TODO: likely have to add dpkg_run here.
')
########################################
## <summary>
-## Inherit and use file descriptors from apt.
+## Inherit and use file descriptors from Apt.
## </summary>
## <param name="domain">
## <summary>
@@ -67,7 +71,8 @@ interface(`apt_use_fds',`
########################################
## <summary>
-## Do not audit attempts to use file descriptors from apt.
+## Do not audit attempts to use file
+## descriptors from Apt.
## </summary>
## <param name="domain">
## <summary>
@@ -85,7 +90,7 @@ interface(`apt_dontaudit_use_fds',`
########################################
## <summary>
-## Read from an unnamed apt pipe.
+## Read from an unnamed Apt pipe.
## </summary>
## <param name="domain">
## <summary>
@@ -104,7 +109,7 @@ interface(`apt_read_pipes',`
########################################
## <summary>
-## Read and write an unnamed apt pipe.
+## Read and write an unnamed Apt pipe.
## </summary>
## <param name="domain">
## <summary>
@@ -123,7 +128,7 @@ interface(`apt_rw_pipes',`
########################################
## <summary>
-## Read from and write to apt ptys.
+## Read from and write to Apt ptys.
## </summary>
## <param name="domain">
## <summary>
@@ -141,7 +146,7 @@ interface(`apt_use_ptys',`
########################################
## <summary>
-## Read the apt package cache.
+## Read the Apt package cache.
## </summary>
## <param name="domain">
## <summary>
@@ -162,7 +167,7 @@ interface(`apt_read_cache',`
########################################
## <summary>
-## Read the apt package database.
+## Read the Apt package database.
## </summary>
## <param name="domain">
## <summary>
@@ -183,7 +188,7 @@ interface(`apt_read_db',`
########################################
## <summary>
-## Create, read, write, and delete the apt package database.
+## Manage the Apt package database.
## </summary>
## <param name="domain">
## <summary>
@@ -205,8 +210,8 @@ interface(`apt_manage_db',`
########################################
## <summary>
-## Do not audit attempts to create, read,
-## write, and delete the apt package database.
+## Do not audit attempts manage
+## the Apt package database.
## </summary>
## <param name="domain">
## <summary>
diff --git a/policy/modules/admin/apt.te b/policy/modules/admin/apt.te
index 4044710..9a37f79 100644
--- a/policy/modules/admin/apt.te
+++ b/policy/modules/admin/apt.te
@@ -11,11 +11,9 @@ init_system_domain(apt_t, apt_exec_t)
domain_system_change_exemption(apt_t)
role system_r types apt_t;
-# pseudo terminal for running dpkg
type apt_devpts_t;
term_pty(apt_devpts_t)
-# aptitude lock file
type apt_lock_t;
files_lock_file(apt_lock_t)
@@ -25,15 +23,12 @@ files_tmp_file(apt_tmp_t)
type apt_tmpfs_t;
files_tmpfs_file(apt_tmpfs_t)
-# package cache
type apt_var_cache_t alias var_cache_apt_t;
files_type(apt_var_cache_t)
-# status files
type apt_var_lib_t alias var_lib_apt_t;
files_type(apt_var_lib_t)
-# aptitude log file
type apt_var_log_t;
logging_log_file(apt_var_log_t)
@@ -59,7 +54,6 @@ allow apt_t self:msg { send receive };
# Run update
allow apt_t self:netlink_route_socket r_netlink_socket_perms;
-# lock files
allow apt_t apt_lock_t:dir manage_dir_perms;
allow apt_t apt_lock_t:file manage_file_perms;
files_lock_filetrans(apt_t, apt_lock_t, {dir file})
@@ -75,15 +69,12 @@ manage_fifo_files_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t)
manage_sock_files_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t)
fs_tmpfs_filetrans(apt_t, apt_tmpfs_t, { dir file lnk_file sock_file fifo_file })
-# Access /var/cache/apt files
manage_files_pattern(apt_t, apt_var_cache_t, apt_var_cache_t)
files_var_filetrans(apt_t, apt_var_cache_t, dir)
-# Access /var/lib/apt files
manage_files_pattern(apt_t, apt_var_lib_t, apt_var_lib_t)
files_var_lib_filetrans(apt_t, apt_var_lib_t, dir)
-# log files
allow apt_t apt_var_log_t:file manage_file_perms;
logging_log_filetrans(apt_t, apt_var_log_t, file)
--
1.7.2.1
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100903/fc6c4f65/attachment.bin
reply other threads:[~2010-09-03 15:50 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20100903155010.GA27711@localhost.localdomain \
--to=domg472@gmail.com \
--cc=refpolicy@oss.tresys.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.